
The Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem∗

Qi Cheng† and Shigenori Uchiyama‡

April 22, 2003

Abstract

In this paper, we propose an algorithm to solve the Decisional Diffie-Hellman problem over finite fields, whose time complexity depends on the effective bound in the Uniform Boundedness Theorem (UBT). We show that curves which are defined over a number field of small degree but have a large torsion group over the number field have considerable cryptographic significance. If those curves exist and the heights of torsions are small, they can serve as a bridge for prime shifting, which results in an efficient nonuniform algorithm to solve DDH on finite fields and a nonuniform algorithm to solve the elliptic curve discrete logarithm problem faster than the known algorithms. In other words, if the Decisional Diffie-Hellman problem over finite fields turns out to be nonuniformly hard, then the effective bound in UBT should be very small.

1 Introduction

Since the proposal of the concept of public-key cryptography, certain kinds of computational problems such as integer factoring, the discrete logarithm problem, the Diffie-Hellman problem [3] and the RSA problem [15] have been much researched for the last two decades. So far, these computational problems are widely believed to be intractable. One of the most important topics in cryptography is to propose a practical and provably secure cryptographic scheme under such reasonable computational assumptions. Here, we usually say a cryptographic scheme is provably secure if it is proven to be as secure as such an intractable computational problem. Moreover, in order to prove the security of a cryptographic scheme, we sometimes use other kinds of computational problems, which we call decisional problems, such as the Decisional Diffie-Hellman problem, or the DDH problem for short.
This kind of decision problem was first introduced in [6] to prove the semantic security of a public-key encryption scheme from a cryptographic point of view. Since then, such a decisional problem has been typically employed to prove the semantic security of public-key encryption schemes such as the ElGamal and Cramer-Shoup encryption schemes [4, 17, 2]. More precisely, the Cramer-Shoup encryption scheme is secure against adaptive chosen ciphertext attack under the DDH and the universal one-way hash assumptions. The DDH problem is especially useful and has a lot of applications, so it has been very attractive to cryptographers. For a survey of the DDH problem, see [13, 1].

∗ Part of the research was done while the first author was a student in the University of Southern California and the second author was visiting there. The first author was partially supported by NSF grant CCR-9820778.
† School of Computer Science, University of Oklahoma, Norman, OK 73019, USA
‡ NTT Laboratories, 1-1 Hikarinooka, Yokosuka-shi, 239-0847 Japan

1.1 Preliminary

Now, we briefly review the definitions of the DDH and related problems. In the following, $G$ denotes a multiplicative finite cyclic group generated by an element $g$ from $G$, and let $l$ be the order of $G$. From a cryptographic point of view, we may assume that $l$ is prime.

• The Discrete Logarithm problem: Given two elements $x$ and $y$, to find an integer $m$ so that $y = x^m$.
• The Diffie-Hellman problem: Given two elements $g^x$ and $g^y$, to find $g^{xy}$.
• The Decisional Diffie-Hellman problem: Given two distributions $(g^x, g^y, g^{xy})$ and $(g^x, g^y, g^z)$, where $x, y, z$ are randomly chosen from $\mathbb{Z}/l\mathbb{Z}$, to distinguish between these two distributions. In other words, given three elements $g^x$, $g^y$ and $g^z$, where $x, y, z$ are chosen at random from $\mathbb{Z}/l\mathbb{Z}$, to decide whether $xy \equiv z \pmod{l}$ or not.

It is easy to see that the Diffie-Hellman problem can be efficiently reduced to the Discrete Logarithm problem and the DDH problem can be efficiently reduced to the Diffie-Hellman problem. So far, the best known algorithms for these problems over a general group are generic algorithms such as Baby-Step Giant-Step (BSGS) and Pohlig-Hellman. Their running times are $O(\sqrt{l})$, where $l$ is the order of the base group $G$. Besides, Shoup [16] showed that the lower bound on computation of the DDH problem is the same as that of the Discrete Logarithm problem under the generic model, i.e., the lower bound is given by $c\sqrt{l}$, where $c$ is some constant, for the DDH problem as well as the Discrete Logarithm problem. More precisely, Shoup showed that an algorithm such as BSGS is the best possible generic algorithm for the DDH, Diffie-Hellman and Discrete Logarithm problems.

When it comes to relationships between these problems, Maurer and Wolf [10] showed that the Discrete Logarithm problem can be reduced to the Diffie-Hellman problem if there exists some auxiliary group defined over $\mathbb{F}_l$ that has certain nice properties. More precisely, Maurer and Wolf's idea is the following. An auxiliary group can be taken as the rational points on an elliptic curve defined over $\mathbb{F}_l$ whose order is sufficiently smooth. We can easily solve the Discrete Logarithm problem over this elliptic curve by using the Pohlig-Hellman algorithm. Furthermore, since we can reduce the Discrete Logarithm problem over $G$ to that over this elliptic curve by employing the Diffie-Hellman oracle, the Discrete Logarithm problem over $G$ can be reduced to the Diffie-Hellman problem. Namely, in this case, we can say that the Diffie-Hellman problem is as hard as the Discrete Logarithm problem.
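The reduction chain DDH → Diffie-Hellman → Discrete Logarithm and the generic $\sqrt{l}$ cost described above can be traced in a short sketch. This is an added example, not code from the paper; the group (the order-1013 subgroup of $\mathbb{F}_{2027}^*$ generated by 4) and all function names are constructed for illustration.

```python
from math import isqrt

# Constructed toy group: p = 2l + 1 with p, l prime; g = 4 = 2^2 has order l.
p, l, g = 2027, 1013, 4

def bsgs(h):
    """Baby-Step Giant-Step: return (m, mults) with g^m = h (mod p).

    mults counts group multiplications and stays below 2*ceil(sqrt(l)).
    Returns (None, mults) if h is not in the subgroup generated by g.
    """
    m = isqrt(l - 1) + 1              # ceil(sqrt(l))
    baby, e, mults = {}, 1, 0
    for j in range(m):                # baby steps: table of g^j
        baby.setdefault(e, j)
        e = e * g % p
        mults += 1
    step = pow(g, -m, p)              # g^(-m), computed once
    gamma = h
    for i in range(m):                # giant steps: h * g^(-i*m)
        if gamma in baby:
            return (i * m + baby[gamma]) % l, mults
        gamma = gamma * step % p
        mults += 1
    return None, mults

def solve_dh(gx, gy):
    """Diffie-Hellman reduced to Discrete Logarithm: g^(xy) = (g^y)^x."""
    x, _ = bsgs(gx)
    return pow(gy, x, p)

def decide_ddh(gx, gy, gz):
    """DDH reduced to Diffie-Hellman: compare g^z with the computed g^(xy)."""
    return solve_dh(gx, gy) == gz
```

For a prime $l$ of cryptographic size the table of baby steps alone is infeasible, which is the generic lower bound the paragraph attributes to Shoup.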
On the other hand, very recently, Joux and Nguyen [8] presented very interesting examples such that the DDH problem is easy while the Diffie-Hellman problem is as intractable as the Discrete Logarithm problem over certain groups of the rational points on elliptic curves defined over finite fields. It is obvious that the DDH problem over an elliptic curve defined over a finite field is very easy if we can compute a pairing such as the Weil or Tate pairing. Actually, assume that $\langle \cdot, \cdot \rangle_l$ is the $l$-th Tate pairing, where $l$ is prime, and consider the DDH problem over the group generated by a point $P$ whose order is the prime $l$; then we have $\langle xP, yP \rangle_l = \langle P, P \rangle_l^{xy}$ and $\langle zP, P \rangle_l = \langle P, P \rangle_l^{z}$. So, in this case, deciding whether $xy \equiv z \pmod{l}$ or not is very easy unless $\langle P, P \rangle_l = 1$. Anyhow, in such a case, the DDH problem can be solved in time polynomial in the size of the input. Here we note that we are not able to evaluate the Tate pairing for all elliptic curves but only for special classes of curves such as supersingular and trace 2 elliptic curves. Besides, as mentioned above, according to the result by Maurer and Wolf, if we can generate some auxiliary group for these elliptic curves which satisfies certain good properties, the Diffie-Hellman problem is as hard as the Discrete Logarithm problem. That is, Joux and Nguyen presented supersingular and trace 2 elliptic curves with such good auxiliary groups (see [8] for details).

This observation raises the following question: Is there an efficient reduction from the DDH problem in a finite field to the DDH problem over some special elliptic curve? This paper will explore the possibility.

1.2 Our results

This paper proposes an attack against the DDH problem in finite fields, whose efficiency relies on the number of torsion points on an elliptic curve over number fields. Suppose that our target finite field is $\mathbb{F}_p$. The prime $l$ is the largest prime factor of $p - 1$. Let $K$ be a number field with $[K : \mathbb{Q}] = d$ and $\mathcal{E}$ an elliptic curve defined over $K$. The celebrated Uniform Boundedness Theorem asserts that the number of $K$-rational torsion points on $\mathcal{E}$ is bounded by a constant $B_d$ depending only on $d$. The current version of UBT shows that the bound $B_d$ depends exponentially on $d$. If this bound is effective, then for a prime $l$, there exist a number field $K$ and an elliptic curve $\mathcal{E}/K$ such that $[K : \mathbb{Q}] \le \log^{O(1)} l$ and $\mathcal{E} : cy^2 = x^3 + ax + b$ has non-trivial $K$-rational $l$-torsion points. In addition, assume

1. $\mathcal{E}$ has multiplicative reduction $E'$ at a place above $p$;
2. All the $K$-rational $l$-torsions reduce to non-singular points on $E'$;
3. The $y$-coordinates of all the torsions have low heights.

We can efficiently map the elements in the $l$-part of $\mathbb{F}_p^*$ to the points on $E'$. Suppose that a $p$-adic representation of $\mathcal{E}$ of certain precision is given; we then find the $p$-adic representations of the corresponding torsions on $\mathcal{E}$ up to the precision, namely, we lift the points on $E'$ to the torsions on $\mathcal{E}$. Lifting to torsions instead of regular points has several potential advantages. 1) The heights of torsions may not explode under multiplication by a big number, while the heights of regular points certainly do. After all, the height will get back to 0 if we multiply by the order. 2) It is much easier to calculate the lifted point, because in addition to the curve equation, we have one more equation defining the torsion. There is no problem in computing the $p$-adic coordinates of the global torsions up to any precision. Since the degree of $K$ is low, we employ the LLL algorithm to get the minimal polynomials of the coordinates of the points. There is a disadvantage with lifting to torsions: we cannot apply the 2-descent method to solve the discrete logarithm problem among global points (torsions).
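The pairing test from Section 1.1, comparing $\langle xP, yP \rangle_l$ with $\langle zP, P \rangle_l$, can be run on a toy supersingular curve. This is an added example, not code from the paper or from [8]; the parameters ($p = 1019$, $l = 17$, curve $y^2 = x^3 + x$), the distortion map $(x, y) \mapsto (-x, iy)$ used to make the self-pairing non-trivial, and all function names are assumptions of the sketch.

```python
# Constructed toy parameters: E: y^2 = x^3 + x over F_p with p = 3 (mod 4) is
# supersingular, #E(F_p) = p + 1, and the prime l divides p + 1 = 60 * 17.
p, l = 1019, 17

def slope(P, Q):                     # tangent or chord slope; caller excludes P = -Q
    (x1, y1), (x2, y2) = P, Q
    if P == Q: return (3*x1*x1 + 1) * pow(2*y1, -1, p) % p
    return (y2 - y1) * pow(x2 - x1, -1, p) % p
def add(P, Q):                       # affine addition, None is the point at infinity
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None
    lam = slope(P, Q)
    x3 = (lam*lam - P[0] - Q[0]) % p
    return (x3, (lam*(P[0] - x3) - P[1]) % p)
def mul(k, P):                       # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def f2mul(a, b):                     # F_{p^2} = F_p[i]/(i^2 + 1), pairs (re, im)
    return ((a[0]*b[0] - a[1]*b[1]) % p, (a[0]*b[1] + a[1]*b[0]) % p)
def line(T, R, Q):                   # line through T, R evaluated at (-xQ, i*yQ)
    if T[0] == R[0] and (T[1] + R[1]) % p == 0: return (1, 0)  # vertical: in F_p
    return ((slope(T, R)*(Q[0] + T[0]) - T[1]) % p, Q[1])

def pairing(P, Q):                   # reduced Tate pairing of P with distorted Q
    if P is None or Q is None: return (1, 0)
    f, T = (1, 0), P
    for bit in bin(l)[3:]:           # Miller loop; F_p factors are dropped
        f, T = f2mul(f2mul(f, f), line(T, T, Q)), add(T, T)
        if bit == "1": f, T = f2mul(f, line(T, P, Q)), add(T, P)
    r, e = (1, 0), (p*p - 1) // l    # final exponentiation kills F_p factors
    while e:
        if e & 1: r = f2mul(r, f)
        f, e = f2mul(f, f), e >> 1
    return r

def base_point():                    # first point of order l found by x-search
    for x in range(1, p):
        rhs = (x**3 + x) % p
        y = pow(rhs, (p + 1) // 4, p)
        P = mul((p + 1) // l, (x, y)) if y*y % p == rhs else None
        if P is not None: return P

def is_dh_triple(P, A, B, C):        # decides xy = z (mod l) from (P, xP, yP, zP)
    return pairing(A, B) == pairing(C, P)
```

The decision costs two pairing evaluations, each polynomial in $\log l$, in contrast to the $\sqrt{l}$ cost of a generic algorithm.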